There's nothing inherently centralised about the PKI, it's just that for convenience we all tend to agree up front on a list of organisations that we think will do a reasonable job of verifying various kinds of identity (email addresses, business details etc).
But nothing stops you deciding you're going to rely on a totally different set instead. If you can convince other people to use one of the signers you trust, you could abandon the existing CA's entirely and switch to some new ones. You could have thousands or tens of thousands if you wanted. The current payment protocol doesn't let you sign with multiple cert chains so it'd be a bit awkward to do a smooth migration (you'd have to jump all at once), but that could be fixed in a future extension if someone was serious about establishing a different PKI.
Using Namecoin as a form of identity would be possible (with an extension to the payment protocol), but is problematic for a lot of different reasons.
Firstly, Namecoin is just a way to own a string. There's nothing meaningful about those strings because it's first come first serve. If someone turns up and claims they work for Mt Gox, and they give you a payment request that is signed by the owner of the namecoin string "mtgox.bit" then it's possible they really do work for Mark, or, they could be random stranger who just grabbed the name first. There's no way to tell, which renders the signature useless.
Secondly, even if you learn about the validity of this namecoin name out-of-band somehow (like MtGox announced they registered the name on their blog), it's tricky to make arbitrary pieces of text meaningful identities. This is going to sound a bit Matrix, but .... what is a string? A sequence of Unicode code points? A set of pixels on a screen? The sound it makes when pronounced? To a computer it's the first one. To a human reading about stuff on the web it's the second, and to a human who learned about your company from an excited conference attendee it's the third.
This matters because the mismatch can cause security holes. The DNS system and cert authorities have been battling this problem for years. The simplest hack is this: the following two domain names are NOT equal to a naively written computer program:
www.google.com is not www.gooɡle.com
Whether you can see this easily or not depends on your font. I can't see it here on my Ubuntu machine except for the fact that the autolinker stopped at the 4th G. But in the code sample below it's more obvious:
Code:
import unicodedata
s = u'www.google.com is not www.gooɡle.com'
for i, c in enumerate(s): print i, '%04x' % ord(c), unicodedata.category(c), unicodedata.name(c)
This is just one of many such confusion attacks that are possible. Part of the reason certificate authorities get audited and checked is to ensure they're watching out for things like this. As far as I know, Namecoin has no protections against this sort of thing and if it became popular then you'd see scammers descend on it extremely fast, just like they did for SSL.
In short, identity is a hard problem. It's not as simple as "centralised vs decentralised" - the CA infrastructure has hundreds of players competing in a free market, and you can choose which ones you trust to do a good job. If you aren't happy with the existing set, make a new set, but just be aware that it's a way harder problem than keeping a database of strings to keys.
A web address? The first reaction is a phishing site
